
fix(cooldown): unblock v2.0.2 consumers by inlining scripts and reordering gate #31

Merged: j7an merged 6 commits into main from fix/29-inline-scripts-and-gate-reorder on Apr 13, 2026

Conversation

j7an (Owner) commented Apr 13, 2026

Summary

  • Removes the runtime `actions/checkout` of `j7an/shared-workflows` from `dependency-cooldown.yml` — the root cause of #29 ("v2.0.2 scan job fails on every consumer PR — Checkout shared-workflows scripts step resolves github.workflow_sha to caller context"): caller-context `${{ github.workflow_sha }}` resolved to the consumer's PR merge SHA, which doesn't exist in shared-workflows
  • Inlines `scripts/extract-deps.sh` and `scripts/check-release-age.sh` as subshell functions in the workflow body, preserving the subprocess scope semantics via paren function syntax (`fn() ( ... )`) so the standalone `set -e[uo] pipefail` options stay contained
  • Reorders the step sequence so `Set initial status` runs immediately after `Harden runner`, before any fallible step. Adds a 6-line gate-discipline policy comment above `jobs.scan.steps` codifying the invariant for future authors
  • Adds `scripts/check-inline-sync.sh` and a new `inline-sync` CI job in `ci-scripts.yml` that enforces byte-for-byte parity between the inline copies and the standalone scripts on every PR — any future drift fails CI loudly
  • Adds a tripwire comment near the `check_release_age` call site documenting that command-substitution invocation is load-bearing for per-row error tolerance (a refactor to a direct call would silently kill the step on the first 404/parse failure)

Test plan

  • `bats tests/extract-deps.bats tests/check-release-age.bats` — green (8/8)
  • `./scripts/check-inline-sync.sh` — green (both inline copies match standalone byte-for-byte)
  • `python3 -c 'yaml.safe_load(...)'` on both touched workflow files — green
  • `grep -nE '(shared-workflows/scripts|github\.workflow_sha|j7an/shared-workflows)' .github/workflows/dependency-cooldown.yml` — zero matches
  • shared-workflows CI: `Script Tests / bats` — green
  • shared-workflows CI: `Script Tests / inline-sync` — green
  • shared-workflows CI: `Dependency Cool-Down / cooldown / scan` (self-consumption via `ci-cooldown.yml`) — green
  • Cross-repo non-bot validation: a non-bot-author PR on a real consumer repo pinned at this PR's head SHA ends at `dependency-cooldown / gate` = `success` with description `Non-bot PR — no cool-down required`
  • Cross-repo Dependabot validation: a `dependabot[bot]`-author PR on the same consumer pinned at this PR's head SHA reaches `success` or `pending`, never `error`, with the inlined functions visibly executing in the scan logs

Why cross-repo validation is non-negotiable

Per #29's post-mortem, the self-consumption caller at `.github/workflows/ci-cooldown.yml` uses a local-path `uses: ./...` reference, which makes the caller repo the same as the checkout target repo and masks caller-context bugs by structural coincidence. PR #28 went green here on shared-workflows CI and still shipped broken to every cross-repo consumer. This PR's CI passing is necessary but not sufficient — the cross-repo checkbox above is the actual proof. Companion smoke-test infrastructure to close this gap is tracked in #30.

Post-merge operator checklist

This repo's release pipeline is intentionally not auto-reactive on merge:

  1. Squash-merge this PR to `main` (the title `fix(cooldown): ...` becomes the squash commit subject — load-bearing for the patch bump)
  2. Manually dispatch `Tag Release` workflow on `main` with `bump=auto` — this analyzes commit subjects, computes `v2.0.2 → v2.0.3` patch bump, and pushes the tag
  3. `release.yml` fires reactively on the tag push, force-updates floating `v2.0` and `v2` tags, and publishes the GitHub release with autogenerated notes
  4. Watch the next Dependabot bump cycle — consumers pinned to `v2.0.2` will receive a PR bumping to `v2.0.3`. The first such PR's `dependency-cooldown / gate` must reach `success` or `pending` for the release to be considered validated end-to-end

If step 4 reveals a regression, the rollback is: `git tag -d v2.0.3 && git push --delete origin v2.0.3`, then revert the merge commit on `main` via a new revert PR (do not force-push). Detail in the spec at `docs/superpowers/specs/2026-04-12-issue-29-v2.0.3-emergency-fix-design.md` section 9.

Out of scope (tracked in #30)

Companion durability work that explicitly does NOT belong in this emergency fix:

  • Cross-repo smoke test repo (`shared-workflows-e2e` or equivalent)
  • Caller-context lint rule (`ast-grep`/`actionlint`-based check forbidding `ref: ${{ github.workflow_sha }}` in `workflow_call` files)
  • README "Known caller-side constraints" section documenting which GitHub context variables this workflow does and does not rely on
  • `tests/fixtures/` canonical caller workflow YAML for the lint rule and smoke test to consume

These three layers of defense compose to make #29's bug class structurally impossible to reintroduce. v2.0.3 ships the immediate fix; #30 ships the durability infrastructure as a follow-up.

Pre-existing findings surfaced by parallel review (NOT blocking)

Four parallel pr-reviewer agents (security, correctness, CI/release, consumer-compat) reviewed this branch and surfaced several Info/Low findings that pre-date this PR and are explicitly not introduced by it:

  • `jq` filter interpolation for `EXISTING_COMMENT_ID` could use `--argjson` for defense-in-depth (already-in-repo pattern)
  • Unquoted `for ACTION in $ACTIONS` loops would benefit from `while read` (already-in-repo pattern)
  • `egress-policy: audit` could be tightened to `block` with an allowlist on the `ci-scripts.yml` jobs (not a regression)
  • `persist-credentials: false` could be added to `ci-scripts.yml` checkout steps (consistency with `security.yml`)

None of these block the v2.0.3 release. They are candidate hardening for a separate follow-up PR or for #30.

Fixes #29.
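The two shell properties the summary leans on, paren-body functions keeping `set -e`/`set -u` contained and command-substitution invocation giving per-row error tolerance, are easy to get wrong in a refactor. The script below is an added example written for this page, not code from j7an/shared-workflows: `check_release_age` is a stand-in that simulates a 404 for any action name containing "missing", the "age" it reports is just the name length, and the input list is constructed. It contrasts a paren body with a brace body and runs the scan loop the way the workflow step does, under errexit.

```shell
#!/usr/bin/env bash
# Added example, not code from j7an/shared-workflows. It shows (1) that a
# paren-body function `fn() ( ... )` runs in a subshell, so `set -eu` inside
# it never leaks into the caller, whereas a brace body `fn() { ... }` does;
# and (2) that invoking the per-row checker as `if out=$(fn ...)` turns a
# failing row into a branch instead of an errexit abort of the whole scan.
# The checker, its "404" rule and all inputs are constructed for this example.

# Hypothetical per-row check. Prints "<action> <age-days>" and returns 0, or
# writes an error and returns 1 to simulate a 404 from the release lookup
# (constructed rule: any action whose name contains "missing" is unresolvable).
check_release_age() (
  set -eu                       # contained: applies to this subshell only
  action=$1
  case "$action" in
    *missing*) echo "error: 404 for $action" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$action" "${#action}"   # constructed "age": name length
)

# Same body with braces: its `set -eu` leaks into whichever shell calls it.
check_release_age_leaky() {
  set -eu
  action=$1
  case "$action" in
    *missing*) echo "error: 404 for $action" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$action" "${#action}"
}

# Run checker $1 on a resolvable action, then report whether `nounset`
# is now set in *this* shell ($- lists the active options).
shell_options_after() {
  "$1" "actions/checkout" >/dev/null
  case $- in *u*) echo leaked ;; *) echo contained ;; esac
}

# The scan loop as a workflow step would run it, with errexit on. Each row
# is invoked as `if out=$(check_release_age ...)`, so a nonzero status is a
# branch rather than a script exit. A direct `check_release_age "$action"`
# under `set -e` would end the step at the first 404 (the PR's tripwire).
scan_actions() {
  ok=0; failed=0
  for action in "$@"; do
    if out=$(check_release_age "$action"); then
      printf 'row: %s\n' "$out"
      ok=$((ok + 1))
    else
      failed=$((failed + 1))
    fi
  done
  printf 'ok=%d failed=%d\n' "$ok" "$failed"
}

# Stand-alone run on constructed input.
set -e
scan_actions actions/checkout actions/missing-action actions/cache
echo "after paren body: $(shell_options_after check_release_age)"
echo "after brace body: $(shell_options_after check_release_age_leaky)"
```

The leaky variant is only ever called inside `$(...)` here so the leaked options stay in that subshell; in a real workflow body there is no such containment, which is exactly why the inlined copies use the paren form.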

@j7an j7an merged commit 63d9021 into main Apr 13, 2026
6 checks passed
@j7an j7an deleted the fix/29-inline-scripts-and-gate-reorder branch April 13, 2026 06:20
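The summary also describes an `inline-sync` job that fails CI on any drift between the inlined copies and the standalone scripts. The script below is an added example, not the repo's `scripts/check-inline-sync.sh`: it assumes BEGIN/END marker comments around each inline copy, strips the YAML block-scalar indentation measured from the BEGIN line, and compares bytes with `cmp`. The marker names, the fixture workflow and the fixture script are constructed here.

```shell
#!/usr/bin/env bash
# Added example, not scripts/check-inline-sync.sh from j7an/shared-workflows.
# Enforces byte-for-byte parity between a script inlined in a YAML block
# scalar and its standalone file. Marker comments, indentation handling and
# the fixture files are assumptions made for this example.

# Print the inline copy of script $2 from workflow file $1: the lines between
# its BEGIN and END markers, with the block-scalar indentation (measured from
# the BEGIN marker line) removed so the bytes are comparable to the file.
extract_inline() {
  awk -v name="$2" '
    index($0, "# BEGIN inline: " name) { indent = index($0, "#") - 1; on = 1; next }
    index($0, "# END inline: " name)   { on = 0 }
    on { print substr($0, indent + 1) }
  ' "$1"
}

# Report in-sync (status 0) when the inline copy and the file are identical,
# drift (status 1) otherwise; cmp -s compares bytes, so whitespace counts.
check_inline_sync() {
  if extract_inline "$1" "$2" | cmp -s - "$3"; then
    echo "in-sync: $2"
  else
    echo "drift: $2"
    return 1
  fi
}

# Constructed fixtures in a temp dir: a tiny standalone script and a workflow
# that carries a re-indented copy of it between markers. Prints the dir.
make_fixtures() {
  dir=$(mktemp -d)
  printf '%s\n' '#!/usr/bin/env bash' 'extract_deps() (' '  set -eu' \
    '  echo deps' ')' > "$dir/extract-deps.sh"
  {
    printf '%s\n' 'jobs:' '  scan:' '    steps:' '      - run: |'
    echo '          # BEGIN inline: extract-deps.sh'
    sed 's/^/          /' "$dir/extract-deps.sh"
    echo '          # END inline: extract-deps.sh'
    echo '          extract_deps'
  } > "$dir/workflow.yml"
  echo "$dir"
}

# Run the check against fixture dir $1 and clean up, preserving the status.
run_check() {
  if check_inline_sync "$1/workflow.yml" extract-deps.sh "$1/extract-deps.sh"; then
    status=0
  else
    status=1
  fi
  rm -rf "$1"
  return "$status"
}

# In sync: the workflow carries an exact copy of the script.
demo_in_sync() {
  run_check "$(make_fixtures)"
}

# Drift: the standalone script is edited without updating the inline copy.
demo_drift() {
  dir=$(make_fixtures)
  echo '  echo extra' >> "$dir/extract-deps.sh"
  run_check "$dir"
}

# Stand-alone run.
demo_in_sync
demo_drift || echo "exit status $? would fail the CI job"
```

Measuring the indentation from the marker line rather than hard-coding it keeps the check valid if the step is ever moved deeper in the YAML; the byte comparison then catches a stray trailing space or a missing final newline as readily as a changed line.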

Development

Successfully merging this pull request may close issue #29: v2.0.2 scan job fails on every consumer PR — Checkout shared-workflows scripts step resolves github.workflow_sha to caller context

1 participant